"Librem 5 & PureOS ridiculously insecure"

Did you read the reddit thread where I pointed out madaidan’s inaccuracies?

Madaidan pointed to DMA security issues, but the Librem 5 uses serial buses that don’t allow DMA. When I pointed this out, madaidan said that it was just an example, but he couldn’t point to an example that was pertinent to the Librem 5 to prove his point.

Madaidan argued that USB in Linux is insecure. When I questioned him about it because his link didn’t prove that point, his only argument was that the Linux kernel is written in a memory insecure language, but Android is also using a Linux kernel written in a memory insecure language. Maybe Android does something different with USB that makes it more secure than standard Linux (I don’t know), but madaidan didn’t bother trying to prove his point.

Madaidan didn’t know that Purism plans to implement software kill switches in addition to hardware kill switches and it will be possible to turn off the GNSS while using the WiFi or cellular modem.

Madaidan argues that apps will be insecure in the Librem 5, but when I pointed out that Flatpak will use bubblewrap, he simply responded that Flatpak didn’t implement bubblewrap well and didn’t provide any information to prove why Flatpak+bubblewrap would be insecure.

The biggest inaccuracy of madaidan’s article was that he leaves the reader with the impression that a person buying an Android phone is going to be safer than a person buying a Linux phone. It is fine to point out the security features in the Android kernel, but he and Micay had no real response to my post:

what do you think about the amount of malware found by AV-Test in Android vs Linux?

AV-Test reports the following breakdown of the malware that it found in the first half of 2016:
Windows: 67.21%
Script: 19.10%
Android: 7.48%
MacOS: 0.07%
Mobile: 0.01%
DOS: 0.01%
Linux: 0.02%
Other: 6.10%
Unfortunately, this was the last time that AV-Test reported the amount of Linux malware, so we don’t have a more up-to-date comparison.

AV-Test reports that the amount of new Android malware discovered each year has diminished, but it is still very high:
2014: 1.02 M
2015: 2.57 M
2016: 6.13 M
2017: 6.20 M
2018: 5.54 M
2019: 3.17 M

You and u/madaidan have pointed to a number of ways that Android is better designed for security than Linux. However, I look at these numbers from AV-Test and I have to ask if I want to run an ecosystem on my phone, where 3.17 million new pieces of malware and 1.69 million new potentially unwanted applications were found in 2019.

Even if I only install apps found in the Google Play Store, this study found that many of the apps in the Play Store are counterfeits which contain malware or ask for more permissions than are needed.

On my mobile devices, I install LineageOS and only install apps that I find in the F-Droid repo, so I know that I can avoid a lot of the garbage out there, but those are not the sorts of measures that the average user knows how to do.

Maybe this difference is simply because Linux only has about 20 million desktop users worldwide, so it isn’t a very interesting target for the developers of malware. However, I think that there are a number of factors that will help keep malware out of mobile Linux as it grows. Users of mobile Linux are likely to use repos like the PureOS Store that only accept FOSS apps and inform them about data collection (e.g., badges for privacy), which are likely to deter most bad actors.

People will flock to mobile Linux precisely because they are trying to avoid the surveillance capitalism of Google and lack of transparency at Apple, so there will be efforts to exclude apps that violate privacy or hide their code. Because there will be less opportunity to monetize user data, display advertising, etc., there will be fewer apps that are created and fewer that need review for security flaws. With free software apps, people are more likely to join the developers of an existing app or fork an existing code base that has already been well scrutinized for security, rather than create a bunch of buggy apps from scratch, as happens in Android and iOS.

Kyle Rankin has said that Purism is looking into implementing the Librem Key for tamper-evident booting on the Librem 5. (I personally would prefer this be implemented with hashes of the boot files and keys stored on the OpenPGP card.)

Kyle Rankin’s article on the OpenPGP smartcard in the Librem 5 seems to indicate that it will be used as a keystore. I would like to see something more detailed, but Purism does appear to be thinking about this issue.

This was madaidan’s strongest argument. However, there is no way that Purism alone can implement kernel hardening, and this will take a concerted effort involving many people at the Linux kernel and in the different Linux distros to implement these security features. Google, an organization with virtually unlimited resources, has spent years working on it. It is unrealistic to demand that Purism do this, with its tiny team of 8 programmers working on the Librem 5.

Kyle Rankin has indicated that Purism intends to provide firmware updates for the Librem 5. This is another thing that Madaidan got wrong, because he didn’t bother to look at Purism’s documentation and see the instructions on flashing the firmware for the RS9116 WiFi/Bluetooth.

It is worth pointing out that the Librem 5 has a much higher probability of getting firmware updates than most Android phones, because the standard mobile phone SoC (Snapdragon, Exynos, Helio, Tiger/SCXXXX, Kirin or Surge) only gets produced for 1 - 2 years and only gets firmware and driver updates for 2.5 - 3.5 years. In contrast, the i.MX 8M Quad is guaranteed to be manufactured till Jan 2028 and receive updates from NXP for the next decade. Most of the other components in the Librem 5 have long production lifecycles, so they are also more likely to get future firmware updates. Because the drivers are all FOSS, they can be maintained and updated by the community, and NXP and Redpine Signals help maintain the mainline Linux drivers for their devices. Unlike Android phones, the Librem 5 will be using a recent mainline Linux kernel, so it will keep getting security updates in the kernel.

We can ask for more concrete plans from Purism on some of these points, but it is clear that Purism has to get the phone out the door, so Purism has to focus on making a working phone first. Things like power management and cameras have to take priority over new security features right now.

13 Likes